Tuesday, 24 December 2013

Telegram secret chat geolocation leak.


UPD: I've just received  confirmation from Telegram, that a patched version was released a few  hours ago.  Here is the patch on github.

A few days ago Mr. Durov announced bug bounty for Telegram protocol decryption. Futher it will be shown how private data from a secret chat can be captured without any decryption methods due to a design failure.

Test environment:
- Android 4.3 launched in Virtual Box,
- Wireshark launched on host machine,
- HTC One with Android 4.0.3,
- Telegram 1.3.800 (in virtual box)

Method:
Let's install Telegram and create users Alice and Bob. After that, we are creating acconts in Telegram and adding each device to other's contact list.



Now we are starting a secret chat:



Sending a test message:


As we can see in wireshark - all data goes through SSL, and looks encrypted.

But what if we'll try to send attachment, for example a geolocation? Geolocations of secret chat members could be quit interesting in some cases :)? Let's tap 'send' button...







Bum!! We've got a clear-text TCP session!  Let's take a look a bit closer..





Telegarm uses a default unencrypted google-maps API to resolve map snippet. From a security and anonimity point of view this is THE fail. It means that a person who controls the channel can capture all "geo-attachments" going through a secret chat in both ways (incoming and outgoing) using just a passive sniffer.

In practice,  if  Mr. Snowden will send his geo-location using Telegram to someone, who is under NSA wiretapping, a tomahawk will be enough to make Gen. Alexander satisfied.

18 comments:

  1. Thank you for pointing that out! One of the Telegram apps for Android did use Google Maps in http-mode. The source code is fixed by now by the app developer, and the update is on its way to Play Market.

    Thank you for enabling us to make the Android app more secure.

    Please write us a couple of lines to security@telegram.org, we would like to reward the person who found the bug.

    Merry XMas,
    Telegram Team

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. Nice job)))
    Waiting for a response Durov?

    ReplyDelete
  4. After installing telegram App a total stranger appeared on my connection.

    ReplyDelete
  5. i have cracked telegram iOS encrypted messages. Where could i publish the code for it?

    ReplyDelete
  6. can you contact me on captain@rainn.co

    ReplyDelete
  7. Technology is developing by leaps and bounds. The Climate is changing with its own dynamic approach. Today cellular phones especially there functions and Android Apps In Pakistan Has Provided a great charm to technology and all.

    ReplyDelete
  8. This is really awesome. Full of knowledge and latest information about web design.service web design

    ReplyDelete
  9. Great! Thanks for sharing the information. That is very helpful for increasing my knowledge in this fiel
    Red Ball | | duck life | Slitherio
    Red Ball 2 | Red Ball 3 | Red Ball 4

    ReplyDelete
  10. Thanks for sharing with us telegram secrets, its android App is not so good and nor it is up to date, but I don't know about the recent progress of app, whether they fix the problems or not.

    Dental Websites Optimized360 dental websites to flourish your dental practice.

    ReplyDelete
  11. Thanks for the best blog.it was very useful for me.keep sharing such ideas in the future as well.this was actually what i was looking for,and i am glad to came here!
    five nights at freddy's 3 | five nights at freddy's 2 | fireboy and watergirl 3 | 2048 game online | duck life 3 | fireboy and watergirl 6

    ReplyDelete
  12. Very helpful advice in this particular post! It’s the little changes that make the largest changes. Thanks for sharing!
    minecraft 2 | baixar facebook | baixar whatsapp | facebook baixar | baixar photo grid

    ReplyDelete
  13. I really think that you could find a lot of useful info in this spyera review blog

    ReplyDelete
  14. Did you know that it's so easy to be a spy today with that simple hoverwatch app? Check it out!

    ReplyDelete
  15. Recently I've found out how to spy on someones iphone so I want to share my knowledge with you

    ReplyDelete
  16. Thanks for this post Queader! Now I've got to get on and implement more thank you.

    gclub online
    goldenslot
    สูตรบาคาร่า

    ReplyDelete